[CFT] new tables for ipfw
dteske at FreeBSD.org
Thu Aug 14 22:16:29 UTC 2014
NB: Please CC me on replies, I'm off-list
> On 14-8-2014 14:46, Lee Dilkie wrote:
>>
>> On 8/14/2014 08:08, Willem Jan Withagen wrote:
>>> I've found the notation ipnr:something rather frustrating when using
>>> ipv6 addresses. Sort of like typing an ipv6 address in a browser, the
>>> last :xx is always interpreted as portnumber, UNLESS you wrap it in
>>> []'s.
>>> compare
>>> 2001:4cb8:3:1::1
>>> 2001:4cb8:3:1::1:80
>>> [2001:4cb8:3:1::1]:80
>>> The first and the last are the same host but a different port, the
>>> middle one is just a different host.
>>>
>>> Could/should we do the same in ipfw?
>>
>> the first and second forms are valid, but as ipv6 addresses *with no
>> port*,
>>
>> The third is an ipv6 address with a port.
>>
>> If the intent of the second form is an address and port, it will not be
>> parsed that way by standard parsers and violates the ipv6 addressing
>> rfc's.
>
> I agree, but ipfw does not understand [2001:4cb8:3:1::1] last time I
> tried.
> So I think you rephrased what I meant to say.
Might want to have a look at IPv6 address validators.
Execute on FreeBSD 9.3 or 10.1:
bsdconfig includes -adF 'ip.*6' | less -R
Or on FreeBSD 9.2 or 10.0:
less '+/ip[^ ]*6' /usr/share/bsdconfig/media/tcpip.subr
less '+/ip[^ ]*6' /usr/share/bsdconfig/networking/ipaddr.subr
(output from 9.3 command pasted below)
dteske at scribe9.vicor.com ~ $ bsdconfig includes -dF 'ip.*6'
>>> Functions in media/tcpip.subr matching `ip.*6':
+ f_validate_ipaddr6 $ipv6_addr
Returns zero if the given argument (an IPv6 address) is of the proper format.
The return status for invalid IP address is one of:
1 One or more individual segments within the IP address
(separated by colons) contains one or more invalid
characters.
Segments must contain only combinations of the characters 0-9,
A-F, or a-f.
2 Too many/incorrect null segments. A single null segment is
allowed within the IP address (separated by colons) but not
allowed at the beginning or end (unless a double-null segment;
i.e., "::*" or "*::").
3 One or more individual segments within the IP address
(separated by colons) exceeds the length of 4 hex-digits.
4 The IP address entered has either too few (less than 3), too
many (more than 8), or not enough segments, separated by
colons.
5* The IPv4 address at the end of the IPv6 address is invalid.
* When there is an error with the dotted-quad IPv4 address at the
end of the IPv6 address, the return value of 5 is OR'd with a
bit-shifted (<< 4) return of f_validate_ipaddr.
>>> Functions in networking/ipaddr.subr matching `ip.*6':
+ f_dialog_ip6error $error $ipv6_addr
Display a msgbox with the appropriate error message for an error returned by
the f_validate_ipaddr6 function above.
+ f_dialog_validate_ipaddr6 $ipv6_addr
Returns zero if the given argument (an IPv6 address) is of the proper format.
If the IP address is determined to be invalid, the appropriate error will be
displayed using the f_dialog_ip6error function above.
(end pasted output)
Yes, the code is shell. But you can trivially convert the logic into
something like C using nothing more than strchr, strlen, and
fnmatch.
--
Devin
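
The bracket rule discussed in this thread, as an added example that is not part of the original message and is not ipfw or bsdconfig code: a port is recognized only after a closing `]`, and a bare string is treated entirely as an address. The function name `split_host6_port` is hypothetical, and the address check uses `inet_pton` rather than the strchr/strlen/fnmatch conversion mentioned above.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper: split "addr" or "[addr]:port" into a validated
 * IPv6 address and an optional port. Returns 0 on success, -1 on
 * malformed input. *port is set to -1 when no port was given.
 */
int
split_host6_port(const char *in, struct in6_addr *addr, int *port)
{
	char host[INET6_ADDRSTRLEN];
	const char *end, *p;
	char *stop;
	size_t len;
	long val;

	*port = -1;
	if (in[0] == '[') {
		/* Bracketed form: only text after ']' may be a port. */
		if ((end = strchr(in, ']')) == NULL)
			return (-1);
		p = in + 1;
		len = (size_t)(end - p);
		if (end[1] == ':') {
			/* Require a digit so strtol cannot skip spaces or signs. */
			if (end[2] < '0' || end[2] > '9')
				return (-1);
			val = strtol(end + 2, &stop, 10);
			if (*stop != '\0' || val > 65535)
				return (-1);
			*port = (int)val;
		} else if (end[1] != '\0')
			return (-1);
	} else {
		/* Bare form: every colon belongs to the address. */
		p = in;
		len = strlen(in);
	}
	if (len == 0 || len >= sizeof(host))
		return (-1);
	memcpy(host, p, len);
	host[len] = '\0';
	return (inet_pton(AF_INET6, host, addr) == 1 ? 0 : -1);
}
```

Run against the three strings quoted above, the first and third yield the same address (the third with port 80), while the second parses as a different address with no port.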